US20120017097A1 - System And Method For Securely Storing Data In An Electronic Device - Google Patents


Info

Publication number
US20120017097A1
Authority
US
United States
Prior art keywords
memory
electronic device
component
data
method recited
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US13/259,718
Other versions
US8839000B2 (en)
Inventor
Craig A. Walrath
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Hewlett Packard Development Co LP
Original Assignee
ZTE Corp
Hewlett Packard Development Co LP
Application filed by ZTE Corp, Hewlett Packard Development Co LP
Assigned to ZTE CORPORATION (assignment of assignors interest; see document for details). Assignors: CAO, GANG
Publication of US20120017097A1
Assigned to HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P. (assignment of assignors interest; see document for details). Assignors: WALRATH, CRAIG A.
Application granted
Publication of US8839000B2
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/86 Secure or tamper-resistant housings
    • G06F 21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • G06F 12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F 12/14 Protection against unauthorised use of memory or access to memory
    • G06F 12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G06F 9/00 Arrangements for program control, e.g. control units
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • a simple encryption algorithm such as an XOR algorithm may be used by the encryption block 210 to minimize the impact on throughput of the memory subsystem 200 .
  • An exemplary XOR algorithm comprises performing an XOR operation using the data written to system memory and the random encryption key.
  • the following example illustrates how an exemplary embodiment of the present invention provides enhanced security for data stored in system memory. Assume that data elements A and B are to be written to system memory after having been XOR encrypted using a random encryption key R. This process may be described using the following equations:
  • When encrypted data is read from the system memory 106, it is decrypted by a decryption block 214 within the memory controller 104.
  • the decryption block 214 performs the decryption using the random encryption key that was used to perform the encryption of the data by the encryption block 210 .
  • the decrypted data may then be provided to the processor 102 .
  • An exemplary embodiment of the present invention provides enhanced data security by writing only encrypted data to the system memory 106 .
  • an exemplary embodiment of the present invention reduces the risk that a hacker or other potential data thief would be able to recover the encryption key and gain access to data that was encrypted with the particular random encryption key and subsequently stored in the system memory 106 .
  • When the encryption key storage region 202 is volatile (for example, the write-once register that is cleared by a system reset), the memory controller 104 cannot be reverse engineered or "stripped" to determine the key, because the value of the key is no longer present in the encryption key storage region 202 once power is removed from the memory controller. This prevents access to data that had been encrypted using that random encryption key even if the contents of the system memory were somehow preserved, for example by freezing the memory modules comprising the system memory or the like.
  • FIG. 3 is a flow chart showing a method of operating a protected system memory such as the system memory 106 ( FIG. 1 ) according to an exemplary embodiment of the present invention.
  • the method is generally referred to by the reference number 300 .
  • the method begins.
  • a plurality of random encryption keys are generated.
  • the plurality of random encryption keys are stored in a first component of an electronic device such as the computer system 100 ( FIG. 1 ).
  • Data is encrypted using a different one of the plurality of random encryption keys for each of a plurality of memory regions of a second component of the electronic device, as shown at block 308 .
  • the encrypted data is transferred to the memory of the second component of the electronic device, as shown at block 310 .
  • the method ends.
  • FIG. 4 is a flow chart showing an alternative method of securely storing data in an electronic device according to an exemplary embodiment of the present invention.
  • the method is generally referred to by the reference number 400 .
  • the method begins.
  • At block 404 at least one random encryption key is generated.
  • the at least one random encryption key is stored in a memory region of a first component of an electronic device, as shown at block 406 .
  • data is encrypted at a plurality of different encryption levels using the at least one random encryption key.
  • the encrypted data is transferred to a memory of a second component of the electronic device, as shown at block 410 .
  • the method ends.
  • An exemplary embodiment of the present invention provides a secure method of communication between a memory controller and a system memory comprised, for example, of a plurality of memory modules. Such an exemplary embodiment protects system memory from a wide range of hacker attacks.
  • an exemplary embodiment of the present invention is adapted to protect system memory from physical attacks and boot attacks.
  • standard memory components and modules may be used. No additional effort is required when a new generation of memory technology is introduced.
  • An exemplary embodiment of the present invention provides system memory security without significantly impacting system performance and without impacting operating system and software application performance.
  • an exemplary embodiment of the present invention may be implemented with minimal impact on overall system cost and complexity.
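The memory subsystem of FIG. 2 and the method of FIG. 3, written out as an added C model that is not code from the patent: a memory controller holding one random key per memory region in a volatile, write-once key register, an encrypt-on-write and decrypt-on-read path, a system reset that clears the register but leaves DRAM untouched, and a raw DRAM read standing in for an attacker who froze and removed the module. The region names and sizes, the key-source callback and the xorshift placeholder key source are assumptions made for this example; a real controller would take its keys from the TPM, management engine or BIOS as the page describes, and would put a real cipher where this model uses the page's XOR method.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of memory subsystem 200 (FIG. 2) driven as in method 300 (FIG. 3).
 * Region count, word count, key width and every name are assumptions for
 * this example, not the patent's. */
#define NUM_REGIONS  3   /* region 216, region 218, ... nth region */
#define REGION_WORDS 8

enum region_id { REGION_OS = 0, REGION_PROGRAM = 1, REGION_USER = 2 };

/* Key storage region 202: one random key per memory region (keys 204, 206,
 * ... 208). Volatile and write-once: filled after a reset, cleared by the next. */
struct key_storage { uint64_t key[NUM_REGIONS]; int loaded; };

/* System memory 106 on its own die: holds ciphertext only, and unlike the
 * key register its contents may survive a cold boot. */
struct system_memory { uint64_t word[NUM_REGIONS][REGION_WORDS]; };

struct memory_controller { struct key_storage keys; struct system_memory *mem; };

/* Pluggable key source (BIOS, TPM, management engine, hardware RNG);
 * the callback signature is an assumption of this model. */
typedef uint64_t (*key_source_fn)(void *ctx);

/* Blocks 304/306: generate a plurality of random keys and store them in the
 * controller. Refused while the write-once register is already loaded. */
int mc_load_keys(struct memory_controller *mc, key_source_fn src, void *ctx)
{
    if (mc->keys.loaded)
        return -1;
    for (int r = 0; r < NUM_REGIONS; r++)
        mc->keys.key[r] = src(ctx);
    mc->keys.loaded = 1;
    return 0;
}

/* System reset: key register cleared, DRAM left exactly as it was. */
void mc_reset(struct memory_controller *mc) { memset(&mc->keys, 0, sizeof mc->keys); }

static int mc_check(const struct memory_controller *mc, int region, size_t idx)
{
    return region >= 0 && region < NUM_REGIONS && idx < REGION_WORDS && mc->keys.loaded;
}

/* Blocks 308/310, encryption block 210: encrypt under the region's own key
 * (the page's XOR method stands in for the cipher), then store. */
int mc_write(struct memory_controller *mc, int region, size_t idx, uint64_t plain)
{
    if (!mc_check(mc, region, idx))
        return -1;
    mc->mem->word[region][idx] = plain ^ mc->keys.key[region];
    return 0;
}

/* Decryption block 214: same region key. Refused once keys are cleared, so
 * the controller never hands back "decrypted" garbage after a reset. */
int mc_read(struct memory_controller *mc, int region, size_t idx, uint64_t *plain)
{
    if (!mc_check(mc, region, idx))
        return -1;
    *plain = mc->mem->word[region][idx] ^ mc->keys.key[region];
    return 0;
}

/* What a cold-boot attacker gets: the raw DRAM die, read without the controller. */
uint64_t dram_raw(const struct system_memory *mem, int region, size_t idx)
{
    return mem->word[region][idx];
}

/* Placeholder key source so the demo is reproducible: xorshift64 from a fixed
 * seed. Not an entropy source; a product must use a true RNG. */
uint64_t demo_key_source(void *ctx)
{
    uint64_t *s = ctx, x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

int main(void)
{
    struct system_memory dram = {{{0}}};
    struct memory_controller mc = {{{0}, 0}, &dram};
    uint64_t seed = 0x9E3779B97F4A7C15ULL, secret = 0x4142434445464748ULL, out = 0;

    mc_load_keys(&mc, demo_key_source, &seed);       /* boot: keys generated and latched */
    mc_write(&mc, REGION_USER, 0, secret);           /* only ciphertext reaches DRAM */
    mc_read(&mc, REGION_USER, 0, &out);
    printf("controller reads back %016llx, DRAM holds %016llx\n",
           (unsigned long long)out, (unsigned long long)dram_raw(&dram, REGION_USER, 0));
    mc_reset(&mc);                                   /* power pulled; module frozen and moved */
    printf("read after reset: %s\n", mc_read(&mc, REGION_USER, 0, &out) ? "refused, key gone" : "ok");
    return 0;
}
```

Two properties of the page's design are visible in this model and worth checking in a real part: the key register must really be volatile and write-once (a second `mc_load_keys` is refused until reset, and nothing survives `mc_reset`), and the controller must refuse reads rather than decrypt with an all-zero key after reset, otherwise an attacker who can trigger a reset without a power cycle reads back XOR-with-zero, which is the plaintext.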

Abstract

There is provided an enhanced method of securely storing and retrieving information in an electronic device. The method comprises generating a plurality of random encryption keys and storing the plurality of random encryption keys in a memory region of a first component of the electronic device. The method may additionally comprise encrypting data using a different one of the plurality of random encryption keys for each of a plurality of regions of a memory of a second component of the electronic device. The method may also comprise transferring encrypted data to the memory of the second component of the electronic device.

Description

    BACKGROUND
  • In a typical computer system, system memory is used as a temporary storage for various types of data. As used herein, the term “data” refers to computer code, control information, software algorithms, operating systems (OSes), applications, security keys, credentials, financial information, personal information or any other sort of useful information. In recent times, hackers are utilizing several new or modified techniques to obtain access to the data stored on a computer system.
  • For example, they may steal an operating computer system, such as a notebook computer, not only for the computer itself, but also for the data stored on the system. Even if the system is locked (with a password, for example), a hacker may be able to reboot the system (for example, with a Universal Serial Bus (USB) token) while leaving the contents of the system memory intact.
  • Moreover, hackers may employ any number of nefarious techniques to retrieve the data stored in the memory of a computer system. Stolen information thus obtained may be used in unauthorized ways to cause harm to the owner of the data. A more recent technique is to physically remove memory modules (system memory, graphics memory, or the like) from a user's computer, possibly freezing the memory modules to delay decay of the information contained therein. The hacker then installs the stolen memory modules into another computer and reads their contents, which is possible because the contents of the system memory are stored in an unencrypted format.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Certain exemplary embodiments are described in the following detailed description and in reference to the drawings, in which:
  • FIG. 1 is a block diagram of a computer system according to an exemplary embodiment of the present invention;
  • FIG. 2 is a block diagram of a memory subsystem of the computer system shown in FIG. 1 according to an exemplary embodiment of the present invention;
  • FIG. 3 is a flow chart showing a method of securely storing data in an electronic device according to an exemplary embodiment of the present invention; and
  • FIG. 4 is a flow chart showing an alternative method of securely storing data in an electronic device according to an exemplary embodiment of the present invention.
  • DETAILED DESCRIPTION OF SPECIFIC EMBODIMENTS
  • FIG. 1 is a block diagram of a computer system according to an exemplary embodiment of the present invention. The computer system is generally referred to by the reference number 100. Those of ordinary skill in the art will appreciate that the computer system 100 may comprise hardware elements including circuitry, software elements including computer code stored on a machine-readable medium or a combination of both hardware and software elements. Additionally, the functional blocks shown in FIG. 1 are but one example of functional blocks that may be implemented in an exemplary embodiment of the present invention. Those of ordinary skill in the art would readily be able to define specific functional blocks based on design considerations for a particular computer system.
  • A processor 102, such as a central processing unit or CPU, is adapted to control the overall operation of the computer system 100. The processor 102 is connected to a memory controller 104, which is adapted to read data from and write data to a system memory 106. The memory controller 104 may comprise memory that includes a non-volatile memory region and a volatile memory region.
  • The system memory 106 may be comprised of a plurality of memory modules, as will be appreciated by one of ordinary skill in the art. In addition, the system memory 106 may comprise non-volatile and volatile portions. A system basic input-output system (BIOS) may be stored in a non-volatile portion of the system memory 106. The system BIOS is adapted to control a start-up or boot process and to control the low-level operation of the computer system 100.
  • The processor 102 is connected to at least one system bus 108 to allow communication between the processor 102 and other system devices. The system bus may operate under a standard protocol such as a variation of the Peripheral Component Interconnect (PCI) bus or the like. In the exemplary embodiment shown in FIG. 1, the system bus 108 connects one or more processors 102 to a hard disk drive 110, a graphics controller 112 and at least one input device 114. The hard disk drive 110 provides non-volatile storage for data used by the computer system. The graphics controller 112 is in turn connected to a display device 116, which provides an image to a user based on activities performed by the computer system 100.
  • As set forth in detail below, an exemplary embodiment of the present invention is adapted to prevent data theft by providing secure communication between components in the computer system 100. Secure communication includes encrypting information before it is stored in memory, and decrypting it when it is retrieved. In one exemplary embodiment described in detail below, the memory controller 104 is adapted to provide secure encrypted communication with the system memory 106. Those of ordinary skill in the art, however, will appreciate that the techniques disclosed herein may be used to provide secure communication between virtually any components in the computer system 100. For example, the processor 102 and/or the memory controller 104 could be adapted to securely communicate with any of the devices with which they have the capability to exchange data. Moreover, exemplary embodiments of the present invention may provide for secure encrypted data to be stored on and retrieved from the hard disk drive 110, the graphics controller 112, the processor 102 or the memory controller 104, and a computer system could contain a plurality of such memory subsystems (for example, a separate encrypting memory subsystem for the graphics memory). The memory device that stores securely encrypted data may comprise a cache memory or any other memory suitable for use in a given application.
  • FIG. 2 is a block diagram of a memory subsystem of the computer system shown in FIG. 1 according to an exemplary embodiment of the present invention. The memory subsystem is generally referred to by the reference number 200. The memory subsystem 200 comprises the memory controller 104 and the system memory 106. The system memory 106 may be divided into a plurality of memory regions, which may correspond to different uses or types of memory. In the exemplary embodiment of the present invention shown in FIG. 2, the system memory contains a first memory region 216 and a second memory region 218. Additional memory regions may also exist, as indicated by an nth memory region 218. As set forth below, an exemplary embodiment of the present invention may employ a different random encryption key and/or a different level of encryption for different regions of memory.
  • According to an exemplary embodiment of the present invention, secure transfer of data may be initiated in a wide range of circumstances. For example, a secure communication path may be initiated by generating a random encryption key when the computer system 100 is rebooted or otherwise receives a system reset. Secure communication could be initiated by generating a random encryption key when the computer system 100 resumes operation after hibernation, whether a system reset is needed to resume operation or not. Similarly, a random encryption key could be generated when the computer system 100 resumes operation following a standby state. Secure communication may additionally be initiated by forcing a system memory encryption refresh, which could generate new encryption keys for all or a portion of the memory to which data is being written. Random encryption keys could additionally be generated based on dates and/or time such as at a specific time of day or after a preset time period has expired.
  • In the exemplary embodiment shown in FIG. 2, a random encryption key is generated and transmitted to the memory controller 104. The random encryption key may be stored in an encryption key storage region 202. The encryption key storage region 202 may comprise a non-volatile region of memory or a volatile region of memory. The encryption key storage region 202 may be used to store a plurality of random encryption keys. For example, the encryption key storage region 202 may store a first encryption key 204 and a second encryption key 206. More encryption keys may be stored, as indicated by an nth encryption key 208. The use of the plurality of encryption keys is explained in detail below.
  • In one exemplary embodiment of the present invention, the encryption key storage region 202 comprises a write-only/write-once register that is reset via system reset. As explained in detail below, the random encryption key is used to encrypt data that is written to the system memory 106. In one exemplary embodiment of the present invention, the memory controller 104 is contained in a first integrated circuit device and the system memory 106 is contained in a second integrated circuit device.
  • Those of ordinary skill in the art will appreciate that the encryption key may be generated in a number of ways. For example, the encryption key may be generated by a management engine associated with the computer system 100. An example of a management engine comprises the Intel® Management Engine available from Intel Corporation of Santa Clara, Calif. The encryption key could additionally be generated based on and responsive to user input, such as input from an administrator, a system management command or the like. The encryption key could, for example, be generated by system components such as the processor 102, the memory controller 104, a Trusted Platform Module (TPM) or the like. In addition, the encryption key could be received via an enterprise connection. The random encryption key may be generated by a system BIOS, which performs various initialization functions when the computer system 100 is booted. In one exemplary embodiment of the present invention, the random encryption key is generated without using data that could be discovered by reverse engineering any integrated circuit device in the computer system 100.
  • In one exemplary embodiment of the present invention, a plurality of random encryption keys are generated and selectively used by the memory controller 104 to encrypt data. The plurality of random encryption keys may be generated, for example, by the memory controller 104. Alternatively, the plurality of random encryption keys may be provided by another component of the computer system 100, such as the system BIOS. According to an exemplary embodiment of the present invention, different areas of the system memory 106 could be encrypted with different random encryption keys. Different encryption keys could be used for each page in the system memory 106. In other exemplary embodiments, multiple encryption keys could be used for each page of memory. Different encryption keys could be used for different devices or different types of memory. In addition, different encryption keys could be used for different regions of memory depending on how the region is used. For example, an OS area of memory may be encrypted with a different random encryption key relative to a non-OS program area of memory and a user data area of memory. Different encryption keys could be used for cache memory relative to system memory and different encryption keys could be used for volatile memory relative to non-volatile memory. Different random encryption keys could be used during different modes of operation. The use of multiple random encryption keys makes it difficult for a hacker to use a number generator to identify all of the random encryption keys used to encrypt the contents of the system memory 106.
  • In the exemplary embodiment of the present invention shown in FIG. 2, an encryption block 210 of the memory controller 104 uses the current random encryption key to encrypt all data that is written to the system memory 106. Prior to being delivered to the encryption block 210, data may be buffered in a write buffer 212.
  • Those of ordinary skill in the art will appreciate that any appropriate methodology of encryption may be used to encrypt data, depending on system design considerations. Moreover, a relatively simple, fast method of encryption such as an XOR method may be used to minimize the effect on system performance. More robust methodologies of encryption may be used to make decoding data more difficult for hackers. Those of ordinary skill in the art will appreciate that a stronger level of encryption may reduce system performance, but has the benefit of making it more difficult for hackers to decrypt the data. Different levels of encryption may be chosen depending on a number of factors, such as the mode of operation of the system (start-up mode, configuration mode, build time mode, enterprise and/or system management mode, normal operating mode or the like). In addition, different levels of encryption may be used depending on the user (whether the user has administrative privileges, for example). The level of encryption may vary by user and/or the rights of the user on the system. For example, a more secure level of encryption may be used if the user has administrator rights on the system. In addition, variable levels of encryption may be used for different areas of memory or different types of memory. Moreover, those of ordinary skill in the art will appreciate that the specific encryption algorithm employed by the encryption block 210 is not an essential feature of the present invention.
  • In one exemplary embodiment of the present invention, a simple encryption algorithm such as an XOR algorithm may be used by the encryption block 210 to minimize the impact on throughput of the memory subsystem 200. An exemplary XOR algorithm comprises performing an XOR operation using the data written to system memory and the random encryption key. The following example illustrates how an exemplary embodiment of the present invention provides enhanced security for data stored in system memory. Assume that data elements A and B are to be written to system memory after having been XOR encrypted using a random encryption key R. This process may be described using the following equations:

  • A⊕R=C

  • B⊕R=D
  • where C is the encrypted version of A and D is the encrypted version of B. The encrypted data C and D are stored in system memory rather than A or B themselves. With some mathematical manipulation, the following result is obtained:

  • C⊕D=A⊕B
  • Thus, a knowledgeable hacker might be able to manipulate data from a stolen memory module to recreate some conglomeration of A and B. Nonetheless, it would remain extremely difficult to obtain A and B themselves without access to the random encryption key R. The use of an exemplary embodiment of the present invention significantly increases the difficulty of making an unauthorized recovery of data from system memory.
  • When encrypted data is read from the system memory 106, it is decrypted by a decryption block 214 within the memory controller 104. The decryption block 214 performs the decryption using the random encryption key that was used to perform the encryption of the data by the encryption block 210. The decrypted data may then be provided to the processor 102. An exemplary embodiment of the present invention provides enhanced data security by writing only encrypted data to the system memory 106.
  • If the encryption key storage region 202 comprises a volatile memory, an exemplary embodiment of the present invention reduces the risk that a hacker or other potential data thief would be able to recover the encryption key and gain access to data that was encrypted with the particular random encryption key and subsequently stored in the system memory 106. The memory controller 104 could not be reverse engineered or “stripped” to determine the key because the value of the key would not be present in the encryption key storage region 202 upon removal of power to the memory controller. This would prevent access to data which had been encrypted using the particular random encryption key even if the data stored in the system memory was somehow preserved, for example, by freezing memory modules comprising the system memory or the like.
  • FIG. 3 is a flow chart showing a method of operating a protected system memory such as the system memory 106 (FIG. 1) according to an exemplary embodiment of the present invention. The method is generally referred to by the reference number 300. At block 302, the method begins.
  • At block 304, a plurality of random encryption keys are generated. As shown at block 306, the plurality of random encryption keys are stored in a first component of an electronic device such as the computer system 100 (FIG. 1).
  • Data is encrypted using a different one of the plurality of random encryption keys for each of a plurality of memory regions of a second component of the electronic device, as shown at block 308. The encrypted data is transferred to the memory of the second component of the electronic device, as shown at block 310. At block 312, the method ends.
  • FIG. 4 is a flow chart showing an alternative method of securely storing data in an electronic device according to an exemplary embodiment of the present invention. The method is generally referred to by the reference number 400. At block 402, the method begins.
  • At block 404, at least one random encryption key is generated. The at least one random encryption key is stored in a memory region of a first component of an electronic device, as shown at block 406.
  • At block 408, data is encrypted at a plurality of different encryption levels using the at least one random encryption key. The encrypted data is transferred to a memory of a second component of the electronic device, as shown at block 410. At block 412, the method ends.
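The following model, added here as an illustration and not the patent's own implementation, ties together the elements described above and in the FIG. 3 and FIG. 4 methods: a volatile key storage region holding one random key per memory region, an XOR encryption block, a decryption block, and two selectable encryption levels. The level names `"xor"` and `"tweaked"`, the region names, the page size and the sample plaintexts are assumptions of this example; the SHA-256-derived keystream used for the `"tweaked"` level stands in for the "more robust" method the text leaves unspecified. The functions at the end reproduce the page's C⊕D = A⊕B relation for two writes under one key, show that per-region keys turn it into A⊕B⊕R1⊕R2, and show that removing power from the key store leaves only ciphertext.

```python
"""Model of per-region XOR memory encryption with volatile key storage.

Added example, not code from the patent. Region names, level names,
PAGE_SIZE and the sample records are constructed for illustration.
"""
import hashlib
import os

PAGE_SIZE = 16  # constructed: tiny pages keep the example readable


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class KeyStore:
    """Models the volatile encryption key storage region 202."""

    def __init__(self):
        self._keys = {}

    def load(self, region, key):
        self._keys[region] = key

    def get(self, region):
        return self._keys.get(region)

    def power_off(self):
        # Volatile storage: once power is removed no key value remains.
        self._keys.clear()


class MemoryController:
    """Models the encryption block 210 and decryption block 214.

    Levels (assumed names): "xor" is the page's simple method, data XOR
    region key; "tweaked" derives the keystream from key and page address
    with SHA-256, so two pages never share a keystream.
    """

    def __init__(self, regions):
        self.keystore = KeyStore()          # first component: key storage
        self.memory = {}                    # second component: ciphertext only
        for region in regions:              # block 304/306: generate and store keys
            self.keystore.load(region, os.urandom(PAGE_SIZE))

    def _keystream(self, key, addr, level):
        if level == "xor":
            return key
        if level == "tweaked":
            tweak = addr.to_bytes(8, "little")
            return hashlib.sha256(key + tweak).digest()[:PAGE_SIZE]
        raise ValueError("unknown encryption level: %r" % level)

    def write(self, region, addr, data, level="xor"):
        key = self.keystore.get(region)
        if key is None:
            raise RuntimeError("no key loaded for region %r" % region)
        self.memory[(region, addr)] = xor_bytes(data, self._keystream(key, addr, level))

    def read(self, region, addr, level="xor"):
        key = self.keystore.get(region)
        if key is None:
            return None  # key gone: plaintext cannot be reconstructed
        return xor_bytes(self.memory[(region, addr)], self._keystream(key, addr, level))

    def raw(self, region, addr):
        """What a stolen memory module exposes: the stored ciphertext."""
        return self.memory[(region, addr)]


A = b"user record 0001"  # constructed sample page contents
B = b"user record 0002"


def roundtrip():
    mc = MemoryController(["os", "user"])
    mc.write("user", 0, A)
    return mc.read("user", 0) == A and mc.raw("user", 0) != A


def same_key_relation():
    """Two pages under one XOR key satisfy C xor D == A xor B, as the text states."""
    mc = MemoryController(["user"])
    mc.write("user", 0, A)
    mc.write("user", 1, B)
    return xor_bytes(mc.raw("user", 0), mc.raw("user", 1)) == xor_bytes(A, B)


def per_region_keys_hide_relation():
    """Different keys per region give C xor D == A xor B xor R1 xor R2 instead."""
    mc = MemoryController(["os", "user"])
    mc.write("os", 0, A)
    mc.write("user", 0, B)
    return xor_bytes(mc.raw("os", 0), mc.raw("user", 0)) != xor_bytes(A, B)


def tweaked_level_hides_relation():
    mc = MemoryController(["user"])
    mc.write("user", 0, A, level="tweaked")
    mc.write("user", 1, B, level="tweaked")
    ok = mc.read("user", 1, level="tweaked") == B
    return ok and xor_bytes(mc.raw("user", 0), mc.raw("user", 1)) != xor_bytes(A, B)


def power_loss_leaves_only_ciphertext():
    mc = MemoryController(["user"])
    mc.write("user", 0, A)
    mc.keystore.power_off()  # controller unpowered; memory contents assumed preserved
    return mc.read("user", 0) is None and mc.raw("user", 0) != A
```

The `same_key_relation` check is the practitioner's reason to prefer the address-tweaked level or per-page keys for anything beyond the minimal-overhead case: with a single XOR key per region, every pair of stored pages leaks the XOR of their plaintexts, which is exactly the "conglomeration of A and B" the text acknowledges.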
  • An exemplary embodiment of the present invention provides a secure method of communication between a memory controller and a system memory comprised, for example, of a plurality of memory modules. Such an exemplary embodiment protects system memory from a wide range of hacker attacks. In particular, an exemplary embodiment of the present invention is adapted to protect system memory from physical attacks and boot attacks. Moreover, standard memory components and modules may be used. No additional effort is required when a new generation of memory technology is introduced. An exemplary embodiment of the present invention provides system memory security without significantly impacting system performance and without impacting operating system and software application performance. Finally, an exemplary embodiment of the present invention may be implemented with minimal impact on overall system cost and complexity.

Claims (15)

1. A method of securely storing data in an electronic device, the method comprising:
generating a plurality of random encryption keys;
storing the plurality of random encryption keys in a memory region of a first component of the electronic device;
encrypting data using a different one of the plurality of random encryption keys for each of a plurality of regions of a memory of a second component of the electronic device; and
transferring encrypted data to the memory of the second component of the electronic device.
2. The method recited in claim 1, wherein each of the plurality of regions of the memory of the second component of the electronic device corresponds to a memory page.
3. The method recited in claim 1, wherein each of the plurality of regions of the memory of the second component of the electronic device corresponds to a particular type of memory.
4. The method recited in claim 3, wherein at least one of the plurality of regions of the memory of the second component of the electronic device corresponds to a cache region of memory, a non-volatile region of memory or a volatile region of memory.
5. The method recited in claim 1, wherein at least one of the plurality of regions of the memory of the second component of the electronic device corresponds to an operating system area of memory, a non-OS program area of memory or a user data area of memory.
6. The method recited in claim 1, comprising:
reading encrypted data from the second component of the electronic device; and
decrypting the encrypted data read from the second component of the electronic device using the one of the plurality of random encryption keys used to encrypt the data.
7. The method recited in claim 1, wherein at least one of the plurality of random encryption keys is generated by a basic input/output system (BIOS) of the electronic device, by a processor of the electronic device, by a memory controller of the electronic device, by a trusted platform module (TPM) of the electronic device, in response to a user input, when the electronic device is booted, when the electronic device resumes operation from a hibernate or suspend state, when a system reset of the electronic device occurs, at a particular time of day or after a preset time period has expired.
8. A method of securely storing data in an electronic device, the method comprising:
generating at least one random encryption key;
storing the at least one random encryption key in a memory region of a first component of the electronic device;
encrypting data at a plurality of different encryption levels using the at least one random encryption key; and
transferring encrypted data to a memory of a second component of the electronic device.
9. The method recited in claim 8, wherein the memory of the second component comprises a plurality of memory types, and wherein a different one of the plurality of different encryption levels is used depending on the type of memory of the second component in which encrypted data is to be stored.
10. The method recited in claim 9, wherein a first type of the plurality of memory types comprises a cache region of memory, a non-volatile region of memory or a volatile region of memory.
11. The method recited in claim 8, comprising:
reading encrypted data from the second component of the electronic device; and
decrypting the encrypted data read from the second component of the electronic device using the one of the plurality of different encryption levels used to encrypt the data.
12. The method recited in claim 8, wherein a different one of the plurality of different encryption levels is used depending on a mode of the electronic device.
13. The method recited in claim 8, wherein a first one of the plurality of different encryption levels comprises XOR encryption.
14. The method recited in claim 8, wherein the at least one random encryption key is generated by a basic input/output system (BIOS) of the electronic device, by a processor of the electronic device, by a memory controller of the electronic device, by a trusted platform module (TPM) of the electronic device, in response to a user input, when the electronic device is booted, when the electronic device resumes operation from a hibernate or suspend state, when a system reset of the electronic device occurs, at a particular time of day or after a preset time period has expired.
15. A computer system, comprising:
a hard disk that is adapted to store data for use by the computer system;
a processor that is adapted to read data stored on the hard disk; and
a first component that is adapted to receive a plurality of random encryption keys, to store the plurality of random encryption keys in a memory region, to encrypt data using a different one of the plurality of encryption keys for each of a plurality of regions of a memory of a second component of the computer system, to encrypt data at a plurality of different encryption levels using at least one of the plurality of random encryption keys, and to transfer encrypted data to the memory of the second component of the computer system.

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2009/037950 WO2010110780A1 (en) 2009-03-23 2009-03-23 System and method for securely storing data in an electronic device

Publications (2)

Publication Number Publication Date
US20120017097A1 true US20120017097A1 (en) 2012-01-19
US8839000B2 US8839000B2 (en) 2014-09-16

Family

ID=42781286

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/259,718 Active US8839000B2 (en) 2009-03-23 2009-03-23 System and method for securely storing data in an electronic device

Country Status (5)

Country Link
US (1) US8839000B2 (en)
CN (1) CN102362280A (en)
DE (1) DE112009004491T5 (en)
GB (1) GB2481161B (en)
WO (1) WO2010110780A1 (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100296651A1 (en) * 2009-05-21 2010-11-25 Freescale Semiconductor, Inc. Encryption apparatus and method therefor
US20120170749A1 (en) * 2011-01-05 2012-07-05 International Business Machines Corporation Secure management of keys in a key repository
US20130179696A1 (en) * 2012-01-09 2013-07-11 Imation Corp. Secure Removable Drive System
US20130205139A1 (en) * 2010-10-05 2013-08-08 Craig A. Walrath Scrambling An Address And Encrypting Write Data For Storing In A Storage Device
JP2014022944A (en) * 2012-07-18 2014-02-03 Canon Inc Information processing device and method for activating the same
US9378156B2 (en) * 2014-10-03 2016-06-28 Dell Products L.P. Information handling system secret protection across multiple memory devices
US20160246964A1 (en) * 2015-02-24 2016-08-25 Dell Products, Lp Method to Protect BIOS NVRAM from Malicious Code Injection by Encrypting NVRAM Variables and System Therefor
US20160378686A1 (en) * 2015-06-24 2016-12-29 Intel Corporation Memory encryption exclusion method and apparatus
WO2017111985A1 (en) * 2015-12-21 2017-06-29 Hewlett-Packard Development Company, L.P. Key generation information trees
TWI615732B (en) * 2016-12-27 2018-02-21 瑞昱半導體股份有限公司 Electronic component of electronic device, method of starting electronic device and encryption method
WO2018100246A1 (en) * 2016-11-30 2018-06-07 Widlund Sam Method and arrangement for encrypting data
US20190171829A1 (en) * 2017-12-06 2019-06-06 International Business Machines Corporation Secure data storage and access during transition operations
CN110309083A (en) * 2019-06-28 2019-10-08 兆讯恒达微电子技术(北京)有限公司 A kind of memory data method for scrambling
US20190361605A1 (en) * 2018-05-22 2019-11-28 Toshiba Memory Corporation Memory system and method of controlling nonvolatile memory
CN111916132A (en) * 2019-05-09 2020-11-10 爱思开海力士有限公司 Memory module, operation method thereof, memory system and operation method thereof
US20210373909A1 (en) * 2020-05-27 2021-12-02 Mettler-Toledo (Albstadt) Gmbh Method for operating an electronic data processing system and electronic data processing system
EP3929786A1 (en) * 2020-06-26 2021-12-29 Intel Corporation Generating keys for persistent memory
US11461460B2 (en) * 2017-12-04 2022-10-04 British Telecommunications Public Limited Company Software container application encryption

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8744078B2 (en) * 2012-06-05 2014-06-03 Secure Channels Sa System and method for securing multiple data segments having different lengths using pattern keys having multiple different strengths
US9148281B2 (en) 2013-03-05 2015-09-29 International Business Machines Corporation Random number generation
US10223289B2 (en) * 2015-07-07 2019-03-05 Qualcomm Incorporated Secure handling of memory caches and cached software module identities for a method to isolate software modules by means of controlled encryption key management
CN110309678B (en) * 2019-06-28 2021-03-19 兆讯恒达科技股份有限公司 Memory scrambling method
US10868679B1 (en) * 2019-07-25 2020-12-15 Cypress Semiconductor Corporation Nonvolatile memory device with regions having separately programmable secure access features and related methods and systems

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6115816A (en) * 1996-12-18 2000-09-05 Intel Corporation Optimized security functionality in an electronic system
US20020188855A1 (en) * 2001-06-07 2002-12-12 Keisuke Nakayama Fingerprint authentication unit and authentication system
US20030115446A1 (en) * 2001-12-17 2003-06-19 International Business Machines Corporation System and method for verifying database security across multiple platforms
US20050182952A1 (en) * 2004-02-12 2005-08-18 Sony Corporation Information processing apparatus and method and computer program
US7069447B1 (en) * 2001-05-11 2006-06-27 Rodney Joe Corder Apparatus and method for secure data storage
US20060250585A1 (en) * 2005-05-09 2006-11-09 Anderson Daryl E Encrypting data
US7284133B2 (en) * 2001-10-30 2007-10-16 Hitachi, Ltd. Information processing unit
US20080025504A1 (en) * 2005-11-23 2008-01-31 Robert Rapp Computer or digital device data encryption/decryption performed by using a random analog source
US20080285747A1 (en) * 2007-05-14 2008-11-20 Samsung Electronics Co., Ltd. Encryption-based security protection method for processor and apparatus thereof
US20080310636A1 (en) * 2005-01-19 2008-12-18 Bennett Charles H Access-controlled encrypted recording system for site, interaction and process monitoring

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2082146C (en) * 1991-10-29 2005-11-15 Brendan Beahan Communications security and trusted path method and means
CN1265494A (en) * 2000-04-24 2000-09-06 后健慈 Enciphered and deciphered memory and its access controlling method
US7277542B2 (en) 2000-09-25 2007-10-02 Broadcom Corporation Stream cipher encryption application accelerator and methods thereof
KR100692425B1 (en) * 2001-09-28 2007-03-09 하이 덴시티 디바이시스 에이에스 Method and device for encryption/decryption of data on mass storage device
US7035953B2 (en) 2002-05-03 2006-04-25 Hewlett-Packard Development Company, L.P. Computer system architecture with hot pluggable main memory boards
US7269739B2 (en) 2002-05-30 2007-09-11 International Business Machines Corporation Method and system for allowing for the secure transmission and reception of data in a processing system
US7392415B2 (en) * 2002-06-26 2008-06-24 Intel Corporation Sleep protection
US7500098B2 (en) 2004-03-19 2009-03-03 Nokia Corporation Secure mode controlled memory
CN100333746C (en) 2005-02-23 2007-08-29 上海中医药大学附属曙光医院 Method for preparing Chinese medicine preparation for treating chronic conjestive heart-failure
KR101426479B1 (en) * 2007-04-17 2014-08-05 삼성전자주식회사 System for protecting data of storage and method thereof

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6115816A (en) * 1996-12-18 2000-09-05 Intel Corporation Optimized security functionality in an electronic system
US7069447B1 (en) * 2001-05-11 2006-06-27 Rodney Joe Corder Apparatus and method for secure data storage
US20020188855A1 (en) * 2001-06-07 2002-12-12 Keisuke Nakayama Fingerprint authentication unit and authentication system
US7284133B2 (en) * 2001-10-30 2007-10-16 Hitachi, Ltd. Information processing unit
US20030115446A1 (en) * 2001-12-17 2003-06-19 International Business Machines Corporation System and method for verifying database security across multiple platforms
US20050182952A1 (en) * 2004-02-12 2005-08-18 Sony Corporation Information processing apparatus and method and computer program
US20080310636A1 (en) * 2005-01-19 2008-12-18 Bennett Charles H Access-controlled encrypted recording system for site, interaction and process monitoring
US20060250585A1 (en) * 2005-05-09 2006-11-09 Anderson Daryl E Encrypting data
US20080025504A1 (en) * 2005-11-23 2008-01-31 Robert Rapp Computer or digital device data encryption/decryption performed by using a random analog source
US20080285747A1 (en) * 2007-05-14 2008-11-20 Samsung Electronics Co., Ltd. Encryption-based security protection method for processor and apparatus thereof

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100296651A1 (en) * 2009-05-21 2010-11-25 Freescale Semiconductor, Inc. Encryption apparatus and method therefor
US8379846B2 (en) * 2009-05-21 2013-02-19 Freescale Semiconductor, Inc. Encryption apparatus and method therefor
US20130205139A1 (en) * 2010-10-05 2013-08-08 Craig A. Walrath Scrambling An Address And Encrypting Write Data For Storing In A Storage Device
US9397834B2 (en) * 2010-10-05 2016-07-19 Hewlett-Packard Development Company, L.P. Scrambling an address and encrypting write data for storing in a storage device
US20120170749A1 (en) * 2011-01-05 2012-07-05 International Business Machines Corporation Secure management of keys in a key repository
US8630418B2 (en) * 2011-01-05 2014-01-14 International Business Machines Corporation Secure management of keys in a key repository
US8724817B2 (en) 2011-01-05 2014-05-13 International Business Machines Corporation Secure management of keys in a key repository
US20130179696A1 (en) * 2012-01-09 2013-07-11 Imation Corp. Secure Removable Drive System
US8949622B2 (en) * 2012-01-09 2015-02-03 Imation Corp. Secure removable drive system
JP2014022944A (en) * 2012-07-18 2014-02-03 Canon Inc Information processing device and method for activating the same
US9378156B2 (en) * 2014-10-03 2016-06-28 Dell Products L.P. Information handling system secret protection across multiple memory devices
US10146942B2 (en) * 2015-02-24 2018-12-04 Dell Products, Lp Method to protect BIOS NVRAM from malicious code injection by encrypting NVRAM variables and system therefor
US20160246964A1 (en) * 2015-02-24 2016-08-25 Dell Products, Lp Method to Protect BIOS NVRAM from Malicious Code Injection by Encrypting NVRAM Variables and System Therefor
US20160378686A1 (en) * 2015-06-24 2016-12-29 Intel Corporation Memory encryption exclusion method and apparatus
EP3314443A4 (en) * 2015-06-24 2019-03-20 Intel Corporation Memory encryption exclusion method and apparatus
US10848305B2 (en) 2015-12-21 2020-11-24 Hewlett-Packard Development Company, L.P. Key generation information trees
WO2017111985A1 (en) * 2015-12-21 2017-06-29 Hewlett-Packard Development Company, L.P. Key generation information trees
WO2018100246A1 (en) * 2016-11-30 2018-06-07 Widlund Sam Method and arrangement for encrypting data
TWI615732B (en) * 2016-12-27 2018-02-21 瑞昱半導體股份有限公司 Electronic component of electronic device, method of starting electronic device and encryption method
US11461460B2 (en) * 2017-12-04 2022-10-04 British Telecommunications Public Limited Company Software container application encryption
US11151266B2 (en) * 2017-12-06 2021-10-19 International Business Machines Corporation Secure data storage and access during transition operations
US20190171829A1 (en) * 2017-12-06 2019-06-06 International Business Machines Corporation Secure data storage and access during transition operations
US20190361605A1 (en) * 2018-05-22 2019-11-28 Toshiba Memory Corporation Memory system and method of controlling nonvolatile memory
US10936226B2 (en) * 2018-05-22 2021-03-02 Toshiba Memory Corporation Memory system and method of controlling nonvolatile memory
US11513707B2 (en) 2018-05-22 2022-11-29 Kioxia Corporation Memory system and method of controlling nonvolatile memory
US11775192B2 (en) 2018-05-22 2023-10-03 Kioxia Corporation Memory system and method of controlling nonvolatile memory
CN111916132A (en) * 2019-05-09 2020-11-10 爱思开海力士有限公司 Memory module, operation method thereof, memory system and operation method thereof
US11409668B2 (en) * 2019-05-09 2022-08-09 SK Hynix Inc. Memory module, operation method of memory module, memory system, and operation method of memory system
TWI813815B (en) * 2019-05-09 2023-09-01 韓商愛思開海力士有限公司 Memory module, operation method of memory module, memory system, and operation method of memory system
CN110309083A (en) * 2019-06-28 2019-10-08 兆讯恒达微电子技术(北京)有限公司 A kind of memory data method for scrambling
US20210373909A1 (en) * 2020-05-27 2021-12-02 Mettler-Toledo (Albstadt) Gmbh Method for operating an electronic data processing system and electronic data processing system
EP3929786A1 (en) * 2020-06-26 2021-12-29 Intel Corporation Generating keys for persistent memory
US11861020B2 (en) 2020-06-26 2024-01-02 Intel Corporation Generating keys for persistent memory

Also Published As

Publication number Publication date
GB2481161B (en) 2014-08-13
US8839000B2 (en) 2014-09-16
WO2010110780A1 (en) 2010-09-30
GB201116379D0 (en) 2011-11-02
DE112009004491T5 (en) 2012-09-06
GB2481161A (en) 2011-12-14
CN102362280A (en) 2012-02-22

Similar Documents

Publication Publication Date Title
US8839000B2 (en) System and method for securely storing data in an electronic device
US9251358B2 (en) System and method for providing secure access to system memory
US9397834B2 (en) Scrambling an address and encrypting write data for storing in a storage device
US8386797B1 (en) System and method for transparent disk encryption
US7392415B2 (en) Sleep protection
US5949882A (en) Method and apparatus for allowing access to secured computer resources by utilzing a password and an external encryption algorithm
KR102013841B1 (en) Method of managing key for secure storage of data, and and apparatus there-of
US20080072071A1 (en) Hard disc streaming cryptographic operations with embedded authentication
US10061718B2 (en) Protecting secret state from memory attacks
US20090110191A1 (en) Techniques For Encrypting Data On Storage Devices Using An Intermediate Key
US8539250B2 (en) Secure, two-stage storage system
US20120237024A1 (en) Security System Using Physical Key for Cryptographic Processes
US20080195872A1 (en) Method and Device for Protecting Data Stored in a Computing Device
Müller et al. A systematic assessment of the security of full disk encryption
US20100250959A1 (en) Security for storage devices
US20080076355A1 (en) Method for Protecting Security Accounts Manager (SAM) Files Within Windows Operating Systems
WO2022127464A1 (en) Crypto-erasure of data stored in key per io-enabled device via internal action
JP2020030527A (en) Storage device and program
CN111177773B (en) Full disk encryption and decryption method and system based on network card ROM
US20130198528A1 (en) Modifying a Length of an Element to Form an Encryption Key
Dorrendorf Protecting drive encryption systems against memory attacks
McGregor et al. Braving the cold: New methods for preventing cold boot attacks on encryption keys
CN215576603U (en) Hard disk medium encryption device
JP2023136601A (en) Software management device, software management method, and program

Legal Events

Date Code Title Description
AS Assignment

Owner name: ZTE CORPORATION, CHINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CAO, GANG;REEL/FRAME:026968/0576

Effective date: 20110919

AS Assignment

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:WALRATH, CRAIG A.;REEL/FRAME:027784/0008

Effective date: 20090319

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551)

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8